What is a MyNOC?



• MyNOC - My Network Operations Centre 

- A Space 

- A Concept

A Space



• Analyst Desktop X 10

• Un-attributable internet X 10 

• JTRIG Desktop 

• HIGHNOTE - CNE Toolsuite 

• COPPERHEAD - CNE Attack box 

• NEXUS (BSS Desktop) 

• CADDIS (SIS Desktop) 

• NRT Tipping Display 

• 65” VTC/Collaborative Monitor and Projector 

• Virtual Whiteboarding tool and Whiteboard 

• Secure telephony / storage

A Space




MyNOC Locations

The MyNOCs are located as follows and contain the following capabilities:

■ MyNOC1 A4a

■ MyNOC2 C4c

■ MyNOC3 [location illegible]

■ MyNOC4 C4d

■ MyNOC5 A4f

[Figure: floor plan of desks A4a-C29-1 to A4a-C29-3 and A4a-C29-7 to A4a-C29-9, labelled GENERAL, with an equipment legend; legible entries include BRENT, CADDIS, E-BEAM, NEXUS, FIA, KVM switch and foot pedal.]

Interlopers in A Space

A Concept



• Collaboration environment bringing together capability from
across GCHQ.

• Appropriate resources identified / Appropriate prioritisation 

• Formalised planning process 

- Clear Focused objectives 

- Selection of Operations Manager 

- Preparation 

- Review 

• Assessment and feasibility 

• Professional Operations Manager 

- Ensures operation is focused on stated objectives

- Ensures operation is legal 

- Protects information equities

MyNOC & NAC



• NAC tasked with development of “greater good” capability in 
Mobile/Mobile Internet environment. 

• Due to lack of progress decision made to sponsor three MyNOC 
events: 

- OP WYLEKEY - Exploitation of International Mobile Billing Clearing Houses 

- OP SOCIALIST - Exploitation of GRX Operator 

- OP INTERACTION - Development of in-depth knowledge of Mobile Gateways

MyNOC Team assemble



• Operations Manager

• Network Analysts (NAC Cheltenham, NAC Bude & NAC Cyprus)

• Dataminer (GTAC)

• Open Source Specialist

• JTRIG Analysts (Cheltenham & Bude)

• CNE Operators (Cheltenham CNE & Scarborough CNE)

• VPN Expert (Crypt SD)

• EREPO Expert (CNE)

• Protocol Analyst (GTE)

• Production Tasking Co-ordinator (PTC)

• Trainee Ops Managers

One Month Later - OP SOCIALIST



• Scoping session conducted - main focus to be on enabling CNE 
access to BELGACOM GRX Operator 

• Ultimate Goal - enable CNE access to BELGACOM Core 
GRX Routers from which we can undertake MiTM 
operations against targets roaming using Smart Phones. 

• Secondary focus - breadth of knowledge on GRX Operators 

• Operations Manager assigned, team assembles

Preparation work



• Identified static web gateways and IP range used by engineers 
and tasked for QUANTUM operations 

• Identification and tasking of optimal bearers 

• TDI data mining identified potential for exploitation of LinkedIn
as a vector for QI - QI capability developed for LinkedIn

• WOODCUTTER logs analysed for usage by BELGACOM.

MyNOC Focus



• Expand collection and capability to enable better exploitation 
of Belgacom. 

• Identify key staff at BICS, and selectors used by these
individuals for QI.

• Map the network to better understand the Belgacom 
Infrastructure. 

• Investigate VPN links from BICS to other telecoms providers. 

• Investigate the vulnerability of the MyBICS Reporting Tool.

Infrastructure

[Figure: network diagram. Recoverable labels: BGP session between AS 1234 and AS6774 (Main); AS 4321; BGP session between AS 1234 and AS6774 (Back-up).]

Belbone management servers

[Figure: diagram of management servers with IP addresses and host labels; the label text is not reliably recoverable.]

Key BELGACOM staff



• Identify Belgacom employees 

- NOC staff 

- In areas related to maintenance or security 

• Selectors to enable QUANTUM targeting 

- Use of LinkedIn noted

- Use of Slashdot.org noted 

• MUTANT BROTH used to identify TDI/Selectors coming from 
identified range/proxy 

• QI capability enhanced to allow shots on LinkedIn

• QI capability enhanced to allow ‘white listing’ when shooting on
proxy

NOC IP range search in MUTANT BROTH



MUTANT BROTH

Identifier Search / IP Address Search / Password Search / IP Preset Search

Legal Context

This is a powerful technique that allows you to pull back presence events for an IP network.

You must make sure that your HRA justification ([illegible]) clearly explains why you are querying on an IP network, as you are more likely to retrieve the communications of innocent individuals as well as […]

Your queries will be logged for audit.

You should use Traceroute or DNS lookup first so that only IP prefixes registered or associated with the target networks are queried.

If you suspect that the IP prefix is dynamic, you must either combine this search with another filter, e.g. an HHFP, or limit the query length to 60 minutes.

If, after running the query, it is clear that the IP prefix is dynamic, you should not look at the results as they are unlikely to relate to your target.

Search for IP address prefixes

Enter the set IP address prefixes.

The IP address range must be specified as: <dotted decimal IP>/<prefix length>

Example: 172.16.17.0/23

192.168.4.5

192.168.123.0/17

Prefix lengths of less than 16 bits will be ignored.

Absent lengths are assumed to be 32 bits.

Optionally enter the HHFP or the time period start and search length in minutes.

MIRANDA: 20135

JIC: 2

Search length (minutes): 20000

Purpose: NS

Reason: Belgacom research



Execute

Source IP

80.84.19.9

NOC IP range - Target identifiers for QUANTUM INSERT

[Screenshot: MUTANT BROTH results table for source IP 80.84.19.9 on 17/05/11, with columns Date, Time, Source IP:HHFP, Source IP Geo (BRUSSELS; BE), Identifier Type (Yahoo-B-Cookie, Google-PREFID-Cookie) and User-Agent, plus an Event Count (%) summary by identifier value; the row values are not reliably recoverable.]

Real-time picture of QI

GTAC effort



• IR21 extractions 

• Website research - domains visited from target gateway IPs 

• TDI harvesting 

• Identified owners of TDIs / finding new potential targets 

• Identified the FTP service 

• User agent analysis 

• Laptop identification 

• Mail server analysis 

• SSL research 

• GRX analysis

What MyNOC Priority gets you



• Dedicated resources 

• Priority tasking of access 

• Priority utilisation of CNE Operator resources 

• Priority utilisation of CNE Developer resources 

• Priority use of enabling community (GTE, GTAC, JTRIG) 

• Priority time of legalities bodies

OP SOCIALIST Outcome



• In MyNOC: 

- CNE Access to BELGACOM - MERION ZETA - 6 endpoints into 
Engineer/support staff IP range 

- 2 endpoints into BELGACOM DMZ (from prep VA work) 

- Optimal Bearers identified providing good access to BELGACOM proxy. 

• Post MyNOC: 

- Optimal Bearers continue to allow QI against BELGACOM engineers/proxy

- Internal CNE access continues to expand - getting close to access core 
GRX Routers - currently on hosts with access 

- NAC continue to support with Network Analysis of internal networks,
network understanding research on credentials and identification of
engineers/system administrators and their specific roles.

MyNOC leave behinds for NAC




• Focused working in small groups

• Regular Brainstorming sessions

• Professional Operational Management

• Network becomes Target - Target approach to Network Problems

• Awareness of JTRIG and Open-source information specialist
capabilities and how they can support Network Analysis.

• Steerage of access for Network Analysis gain

• Closer working between NAC and CNE

• Joint working between NACs

• More NAC MyNOC/Focus efforts to come....

Questions?